The SolarWinds breach, discovered last year, demonstrated how, with enough sophistication, malware can “phone home” for years, completely undetected. The hackers found ways around the common approaches to scanning outbound traffic on an enterprise network.
The backdoor's traffic was disguised as legitimate vendor traffic, blending in with the vendor's own software update and telemetry channel, and it was addressed to servers hosted in AWS.
"They spun up their servers right here in America, so it looked like normal traffic," said Vincent Berk, CTO and chief security architect at Riverbed, a San Francisco-based network performance monitoring vendor. Shutting down AWS traffic would be unthinkable for most data centers.
The most common detection tactics are to look for suspicious data in outbound traffic (credit card numbers, for example) or to see whether any traffic is bound for suspicious destinations (is it headed for a server in North Korea?). No such red flags appear to have gone up in the case of the vast SolarWinds breach.
For most malware, communication with its owners, be it to exfiltrate data or just to check in with command-and-control for further instructions, is an essential capability. And today, enterprise network defenders are lagging in the communications arms race.
The Man-in-the-Middle Defense
One cybersecurity startup, formed by three former high-ranking US government cybersecurity officials, claims to have found a novel way to pull ahead. Trinity Cyber's technology cleans traffic both entering and leaving an organization by actively replacing malicious content with benign content before it reaches its destination.
It's a new approach in the market, Gartner analyst Peter Shoard said in a recent report: "Trinity Cyber is able to send false responses to adversaries to confuse and divert them from their objective, leaving them not really understanding why they have not been successful."
In effect, it's a man-in-the-middle tactic, except that instead of being a tool of cybercrime it’s being applied to fight it.
Trinity Cyber's service sits just outside a data center's perimeter: it is the first stop when traffic leaves the enterprise network and the last hop before traffic enters it. It doesn't replace existing firewalls, intrusion detection systems, or endpoint protection. Instead, it acts as an additional layer of defense, one that focuses on the specific techniques attackers use rather than scanning traffic for known indicators of compromise such as IP addresses, domains, or file hashes.
The company claims that it can catch double or triple the number of incidents that a typical next-gen firewall can with a "nearly zero" false-positive rate. Once malicious traffic is discovered, customers can block it, take other traditional steps, or modify it and let it go through.
"We've not heard of anyone else in this market," said Tom Bossert, the company's president and one of its founders. "We feel like we're a new subsector, or a new quadrant."
Bossert served as the top cybersecurity advisor in the Trump White House before being pushed out in 2018. His co-founders at Trinity are CEO Steve Ryan, a former deputy director at the National Security Agency, and Marie Sciarrone, who advised George W. Bush’s administration on cybersecurity matters.
A typical example of a problem Trinity Cyber is designed to address is DNS data exfiltration. Attackers take advantage of parts of the DNS protocol that normally carry little meaningful information, such as the subdomain labels of a query name or the payload of a TXT record, and encode their own data into them. A stolen file is chunked into a stream of lookups for long, random-looking subdomains under an attacker-controlled zone, and the replies can carry instructions or malware back in. This can be used both to exfiltrate data out of a data center and to smuggle malware into an environment.
Blocking DNS traffic outright cuts the data center off from the internet. Plus, it tells the attackers they have been discovered. The malware can be set to automatically trigger ransomware encryption, maliciously wipe systems, look for another communication channel, or start erasing all traces of itself.
"The signals in these data fields are really hard to detect," Ryan told DCK. "There are so many protocols and file types out there that let bad guys load anything they want on top."
It doesn't even matter if the data the attackers are sending is encrypted. "We can see that it doesn't belong, and we can see that it's high-entropy encrypted data, and we take it out," he said.
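The two tells described above, query names that carry a payload and payloads that look like high-entropy encrypted data, can be checked directly in DNS query logs. The following is an added example written for this article, not Trinity Cyber's or any other vendor's code. The log lines are constructed: the six lookups from 10.0.0.12 stand in for base32-encoded chunks of a stolen file (generated here from SHA-256 digests so that they look like ciphertext), and the entropy and length thresholds, the two-label rule for the registrable domain, and the `min_unique` count are assumptions a practitioner would tune against their own baseline.

```python
"""Flag DNS queries whose names carry a high-entropy payload.

Added example, not code from the original article or from Trinity Cyber.
Sample queries are constructed inline; thresholds are assumptions.
"""
import base64
import hashlib
import math
from collections import defaultdict


def shannon_entropy(s: str) -> float:
    """Bits per character of s (0.0 for an empty or single-symbol string).
    Encrypted or compressed data encoded as base32/base64 scores well above
    the 2-3 bits typical of real host names."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname: str, zone_labels: int = 2):
    """Return (subdomain, base_domain), treating the last `zone_labels`
    labels as the registrable domain. Assumption: no public-suffix list is
    consulted; a production detector needs one (co.uk, com.au, ...)."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= zone_labels:
        return "", ".".join(labels)
    return ".".join(labels[:-zone_labels]), ".".join(labels[-zone_labels:])


def _fake_chunk(i: int) -> str:
    # Constructed stand-in for one encrypted file chunk encoded as a DNS
    # label: base32 of a SHA-256 digest, 52 characters, uniform-looking.
    digest = hashlib.sha256(f"chunk{i}".encode()).digest()
    return base64.b32encode(digest).decode().rstrip("=").lower()


# Constructed sample log: (client_ip, qtype, qname)
SAMPLE_QUERIES = [
    ("10.0.0.5", "A", "www.example.com"),
    ("10.0.0.5", "A", "mail.example.com"),
    ("10.0.0.7", "TXT", "_dmarc.example.com"),
    ("10.0.0.7", "A", "api.github.com"),
    ("10.0.0.9", "A", "cdn-edge-17.static.example.net"),
] + [
    ("10.0.0.12", "TXT", f"{_fake_chunk(i)}.sync.cdn-sync.example")
    for i in range(6)
]


def score_query(qname: str, entropy_threshold: float = 3.5,
                length_threshold: int = 30) -> dict:
    """Score a single query name. A name is suspicious when the subdomain
    part is both long and high-entropy; short or dictionary-like labels
    (www, mail, cdn-edge-17) pass even if they are long."""
    sub, base = split_qname(qname)
    payload = sub.replace(".", "")
    ent = shannon_entropy(payload)
    return {
        "qname": qname,
        "base": base,
        "payload_len": len(payload),
        "entropy": round(ent, 2),
        "suspicious": len(payload) >= length_threshold and ent >= entropy_threshold,
    }


def find_exfil(queries, min_unique: int = 5, **thresholds) -> dict:
    """Aggregate suspicious names per (client, base_domain). A tunnel shows
    up as one client issuing many *distinct* high-entropy subdomains under
    one zone, which a single odd-looking CDN host name never does."""
    per_pair = defaultdict(set)
    for client, _qtype, qname in queries:
        s = score_query(qname, **thresholds)
        if s["suspicious"]:
            per_pair[(client, s["base"])].add(qname)
    return {pair: len(names) for pair, names in per_pair.items()
            if len(names) >= min_unique}


if __name__ == "__main__":
    for client_zone, n in find_exfil(SAMPLE_QUERIES).items():
        print(f"possible DNS exfiltration: {client_zone} sent {n} unique payload names")
```

A real deployment would add query volume per minute, the ratio of NXDOMAIN replies, and TXT-record response sizes to the same aggregation, and would whitelist zones that legitimately use long opaque labels (some CDN and anti-virus vendors do). Blocking is still a separate decision, for the reasons given above; the output of a detector like this is what gets handed to the analyst or to the layer that decides whether to drop, alter, or pass the traffic.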
Trinity Cyber doesn't currently look for every possible data exfiltration method. Take, for example, timing-based covert channels.
Almost anything can become a communication method, Riverbed’s Berk told DCK. "Anything you can modify, you can encode data in it."
If malware can control the timing of messages, it can use the delays themselves as communication. In the simplest case, a long pause between packets could be a ‘one,’ and a short pause could be a ‘zero.’
A few years ago, this would have been a very slow way to send information. But today's data centers send more data at higher speeds than ever before.
"On a 100 Gigabit network, you have kilobits per second of exfiltration capacity," Berk said. "Nobody will ever know what you're doing -- it's virtually undetectable."
And once a hacker comes up with an idea, building a system to do this isn't that hard, he said. "It might take an attacker a few days to build that kind of exfiltration channel. And it can take months or years to build a detector for that kind of exfiltration."
To detect this kind of channel, data centers would need to look at the distribution of inter-packet timings, Berk said: legitimate flows produce a continuous spread of delays, while a timing channel produces delays clustered tightly around the few values that encode its symbols.
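The channel described above and the detector Berk outlines, as an added example that is not from the original article or from any vendor it mentions. Both sides run in-process on constructed timestamps; nothing is put on a wire. The two delay values (10 ms for a zero, 40 ms for a one), the jitter pattern, the benign delay series, and the 0.9 regularity threshold are assumptions chosen for illustration.

```python
"""Timing covert channel: bits encoded as inter-packet delays, plus a
detector that scores how bimodal the delay distribution is.

Added example, not code from the original article. All timestamps are
constructed in-process.
"""
SHORT, LONG = 0.010, 0.040  # seconds between packets for bit 0 / bit 1 (assumed)


def bits_from_bytes(data: bytes):
    """MSB-first bit list."""
    return [(b >> i) & 1 for b in data for i in range(7, -1, -1)]


def bytes_from_bits(bits):
    """Inverse of bits_from_bytes; a trailing partial byte is dropped."""
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        out.append(int("".join(map(str, bits[i:i + 8])), 2))
    return bytes(out)


def encode_timestamps(data: bytes, jitter: float = 0.0005):
    """Sender side: packet k+1 leaves SHORT or LONG seconds after packet k,
    depending on bit k. The packets' contents never matter, which is why
    payload inspection cannot see this channel. A small deterministic jitter
    stands in for scheduler and queueing noise."""
    t, stamps = 0.0, [0.0]
    for k, bit in enumerate(bits_from_bytes(data)):
        t += (LONG if bit else SHORT) + ((k % 3) - 1) * jitter
        stamps.append(t)
    return stamps


def inter_arrivals(stamps):
    return [b - a for a, b in zip(stamps, stamps[1:])]


def two_means(values, iters: int = 20):
    """Lloyd's k-means with k=2, seeded at the min and max delay."""
    lo, hi = min(values), max(values)
    for _ in range(iters):
        a = [v for v in values if abs(v - lo) <= abs(v - hi)]
        b = [v for v in values if abs(v - lo) > abs(v - hi)]
        if not a or not b:
            break
        lo, hi = sum(a) / len(a), sum(b) / len(b)
    return lo, hi


def decode_timestamps(stamps):
    """Receiver side: recover bits by splitting delays at the midpoint of
    the two clusters, so the receiver needs no prior knowledge of SHORT/LONG."""
    delays = inter_arrivals(stamps)
    lo, hi = two_means(delays)
    mid = (lo + hi) / 2
    return bytes_from_bits([1 if d > mid else 0 for d in delays])


def regularity_score(delays) -> float:
    """Detector: 1.0 means every delay sits exactly on one of two values.
    Mean absolute deviation within each cluster is compared with the
    distance between the clusters; benign traffic, whose delays are spread
    continuously, scores far lower."""
    lo, hi = two_means(delays)
    mid = (lo + hi) / 2
    within = [abs(d - (lo if d <= mid else hi)) for d in delays]
    mad = sum(within) / len(within)
    sep = hi - lo
    return 0.0 if sep == 0 else max(0.0, 1.0 - mad / sep)


def is_timing_channel(delays, threshold: float = 0.9) -> bool:
    return regularity_score(delays) >= threshold


# Constructed benign flow: 80 delays spread over 1..97 ms with no preferred
# values (a permutation of residues mod 97, so nothing clusters).
BENIGN_DELAYS = [((i * 37) % 97 + 1) / 1000 for i in range(80)]


if __name__ == "__main__":
    stamps = encode_timestamps(b"exfil")
    print("decoded:", decode_timestamps(stamps))
    print("covert regularity:", round(regularity_score(inter_arrivals(stamps)), 3))
    print("benign regularity:", round(regularity_score(BENIGN_DELAYS), 3))
```

The detector only works because it looks at a flow-level statistic that payload scanners never compute; that is the point Berk makes about building detectors taking far longer than building the channel. In practice a defender would replace the two-cluster score with a histogram or distribution test over a baseline of the same application's flows, since a channel using more than two delay values, or one that hides its symbols in the jitter of an otherwise bursty protocol, will not look as cleanly bimodal as this example.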
"I spent a long time at the NSA," Trinity Cyber’s Ryan said. "Timing was a technique that we played with."
Trinity has the ability to look at the full content of every internet session and spot a timing attack happening, but it isn't doing that yet.
"If you can describe what a threat looks like in a network session, we can find it," he said. But there are so many simpler exfiltration options at hackers’ disposal today that this isn’t a widely used method.
If that changes, though, and attackers start using timing attacks (or other novel methods that involve a network session), Trinity is prepared, Bossert said. "We have the infrastructure and the engineering to do it."
Once an attack is identified and neutralized, Trinity Cyber forwards all the relevant information to the data center's security team: a human-readable description of what happened, plus machine-readable data in the formats that SIEMs and firewall tools ingest.
Data Theft Getting Hotter
Cyber attacks meant to exfiltrate data are on the rise, which makes malware's ability to phone home more important than ever. Even ransomware specialists are getting into the exfiltration game, said Liz Miller, VP and principal analyst at Constellation Research.
According to a recent report by cybersecurity vendor Coveware, 70 percent of ransomware attacks in the fourth quarter of 2020 threatened to leak exfiltrated data – up from 43 percent in the third quarter.
The fact that attackers need their malware to communicate with them gives data center security managers an opportunity to disrupt the attack. If they detect suspicious traffic, they can cut off the communications and trace them back to the infected hosts to shut down the infection.
"Outbound traffic should be analyzed, classified, and filtered as part of the organization’s overall network traffic security plan," said Chris Williams, cyber solution architect at Capgemini. "In particular, traffic to unknown or questionable websites should be intercepted, decrypted, and analyzed."
Many Ways to Phone Home Undetected
Timing attacks are just one of many hard-to-detect communication strategies available to hackers.
Another possible communication method is encoding data in header fields and flags of TCP/IP packets, bits that carry no application payload and that few tools inspect. "Those can be really hard to find," said Berk.
He recommends that data center cybersecurity managers dramatically expand the kind of log data they collect.
"I can try to record what happens on my network, what happens on my end points, what happens on my servers," he said. "I don't know today what I'll need to look at tomorrow. We need good multi-angle visibility and forensic history."
The Poor State of Monitoring
“Only the most advanced organizations are monitoring outbound TCP/IP connections, and that monitoring is complex and expensive," said Capgemini's Williams. "With widespread use of encryption on web browsing, monitoring web browsing is harder than ever."
And that is just outbound TCP connections. For other protocols, including the UDP-based ones such as DNS that attackers already abuse, monitoring is all but nonexistent.
"This is a difficult problem to address, because there tend to be so many outbound connection pathways from typical organizations," said Williams.
Many of those channels are normally legitimate, and cutting them off would hurt operations. For example, attackers have been known to hijack DNS communications, vendor back channels such as the SolarWinds update channel, or traffic to legitimate websites whose plugins, add-ons, ads, or embeds they have compromised.
Attackers have also bought legitimate but expired domains in sensitive categories like banking or health care, said Mathieu Saulnier, senior manager of security incident response at Syntax, a managed cloud provider for mission-critical applications.
"Domains belonging to those categories are usually excluded from SSL decryption to avoid GDPR and other regulations issues," he told DCK.
As attackers keep changing up their strategies, the tools used to look for suspicious traffic also need to change.
"Signature-based tools only detect known, defined attacks," Bob Peterson, security and CTO architect at Sungard Availability Services, told DCK. "Anomaly detection looks for changes in behavior and things that look abnormal." But anomaly detection becomes less effective as traffic becomes more variable.
"Artificial intelligence and machine learning are still dependent on the algorithms used, the volume of data, and types of data," he added. "Encryption of the outbound traffic also tends to severely limit many detection tools."
That often translates to defenders manually monitoring or analyzing logs, said Constellation Research's Miller. The task is tedious, difficult, and carried out sporadically.
"It is difficult because it is wildly complex, constantly moving, and accelerating in speed," she said. "The tools we use to monitor and analyze traffic and attacks might keep up with alerts and notifications but can’t actually clone or accelerate the people charged with securing these systems."
That doesn't mean data center security staff are to blame, she said. It's a herculean task. "It is just quite literally impossible to outrun the rain."